AUDIT OF SBA’S PLANNING AND ASSESSMENT
FOR IMPLEMENTING
PRESIDENTIAL DECISION DIRECTIVE 63

AUDIT REPORT NO. 1-09

MARCH 26, 2001

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT
Issue Date: March 26, 2001
Number: 1-09

To:       Lawrence E. Barrett, Chief Information Officer

From:     Robert G. Seabrooks, Assistant Inspector General for Auditing

Subject:  Audit of SBA’s Planning and Assessment for Implementing Presidential Decision Directive 63

As part of a government-wide initiative, sponsored by the President’s Council on Integrity and Efficiency (PCIE) and Executive Council on Integrity and Efficiency (ECIE), we completed the second of four planned audits of SBA’s critical infrastructure protection program. The first audit covered SBA’s planning and assessment activities for protecting its critical, cyber-based infrastructure. This audit covered the planning and assessment activities for protecting the critical, physical (non-cyber-based) infrastructure. The third and fourth audits will address implementation activities, i.e., risk mitigation, emergency management, interagency coordination, resource and organization requirements, recruitment, education and awareness.

BACKGROUND

Presidential Decision Directive 63 (PDD 63), issued in May 1998, calls for a national effort to assure the security of the United States’ critical infrastructures. Critical infrastructures are the physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, banking and finance, energy, transportation, and essential government services. PDD 63 requires every department and agency of the Federal Government to develop and implement a plan for protecting its own critical infrastructure – also known as minimum essential infrastructure (MEI).

The Critical Infrastructure Assurance Office (CIAO), an interagency office established to assist in the development of a national plan for protecting the country’s critical infrastructure, defines MEI as “the framework of critical organizations, personnel, systems, and facilities that are absolutely required in order to provide the inputs and outputs necessary to support the core processes, essential to accomplishing an organization's core mission as they relate to national security, national economic security or continuity of government services.”

SBA’s Computer Security Program Manager, who reports to the Chief Information Officer, has been designated the Critical Infrastructure Assurance Officer with overall responsibility for protecting SBA’s critical infrastructure.

RESULTS OF PRIOR AUDIT

In September 2000, we reported that SBA had made significant progress toward implementing key aspects of PDD 63, and that it needed to (1) complete the identification of its critical infrastructure, (2) perform vulnerability assessments, (3) complete remedial plans, (4) update the Critical Infrastructure Protection Plan, (5) develop a multi-year funding plan, and (6) include infrastructure assurance in its strategic planning and performance measurement framework.

In October 2000, SBA revised its Critical Infrastructure Protection Plan and took other steps to address these recommendations. These actions, however, focused on the Agency’s cyber-based infrastructure, not the physical (non-cyber-based) infrastructure.

OBJECTIVES, SCOPE AND METHODOLOGY

The objective of this audit was to determine whether SBA’s planning and assessment activities for protecting its critical, physical infrastructure meet the requirements of PDD 63. To accomplish this, we reviewed the Agency’s Critical Infrastructure Protection Plan (CIPP) and related material, and interviewed SBA personnel associated with these products. We conducted the review following guidance provided by the PCIE / ECIE working group on critical infrastructure assurance. That guidance incorporated criteria from PDD 63, “The National Plan for Information Systems Protection,” various Executive Orders and circulars, GAO, and relevant laws and regulations. Fieldwork was performed at SBA’s Central Office in Washington, DC from January to March 2001. The audit was conducted in accordance with Government Auditing Standards.

AUDIT RESULTS

SBA has continued making progress toward implementing PDD 63 requirements, but its focus has been on protecting the Agency’s critical, cyber-based infrastructure. To fully comply with PDD 63, the Agency needs to expand its infrastructure protection efforts to address its critical, physical infrastructure.

Efforts to Date Have Not Focused on Physical MEI

SBA’s Critical Infrastructure Protection Plan (CIPP), revised in October 2000, focuses on protecting the Agency’s cyber-based infrastructure; the plan identifies mainframe computer systems, and Local and Wide Area Networks as the critical, cyber-based assets supporting the five identified Minimum Essential Critical Programs. The CIPP does not address the physical assets (e.g. personnel and facilities) supporting these Minimum Essential Critical Programs. The focus on cyber-based systems was primarily due to PDD 63's emphasis on such systems. The Agency does, however, recognize the need to address physical MEI and has started to concentrate its efforts in that direction. In addition, many of the activities needed for protection of the critical, physical infrastructure (e.g. building security and fire prevention) are in place, but have not been integrated into the critical infrastructure protection program.

According to the Critical Infrastructure Assurance Office, a key first step in the process of protecting critical infrastructure is “determining what information systems, data, and associated assets – facilities, equipment, personnel – constitute the critical infrastructure….” [emphasis added]. After the critical physical infrastructure is identified, vulnerability assessments should be performed, remedial plans developed, resource requirements identified, and policies and procedures updated as necessary.

Need to Coordinate with the General Services Administration

PDD 63 and “The National Plan for Information Systems Protection” call for agencies to establish effective CIP coordination with other applicable entities. Protection of SBA’s physical infrastructure, in particular, requires coordination with the General Services Administration (GSA). This is because, while SBA is responsible for protecting its physical infrastructure, GSA is responsible for the security of the Federal and leased buildings in which SBA operates. Because SBA’s PDD 63 efforts to date have not focused on the physical infrastructure, the Agency has yet to coordinate with GSA. Without effective coordination, the effectiveness and efficiency of SBA’s infrastructure protection program may be diminished by either non-performance or duplication of key functions.

Recommendations:

We recommend that the Chief Information Officer ensure that the Chief Infrastructure Assurance Officer:

1.  Revise the CIPP to address protection of the Agency’s physical MEI. The revised plan should provide milestones and responsibilities for identification of physical MEI, performance of vulnerability assessments, development of remedial plans, determination of resource requirements, and updating of policies and procedures as necessary.

2.  Coordinate physical infrastructure protection efforts with the General Services Administration.

SBA Management’s Comments

SBA’s Chief Information Officer agreed with the recommendations and stated that his office has already taken steps to address the issues. The Chief Information Officer’s response is included as Attachment 1.

OIG Evaluation of SBA Management’s Comments

The Chief Information Officer’s comments are responsive to our recommendations.

***

The findings included in this report are the conclusions of the Office of Inspector General’s Auditing Division based upon the auditor’s testing of the Agency’s Critical Infrastructure Protection Plan and related materials. The findings and recommendations are subject to review and implementation of corrective action by your office following the existing Agency procedures for audit follow-up and resolution.

Please provide your management decision for each recommendation within 30 days. Your management decisions should be recorded on the attached SBA Forms 1824, “Recommendation Action Sheet”, and show either your proposed corrective action and target date for completion, or explanation of your disagreement with our recommendations.

Should you or your staff have any questions, please contact Robert G. Hultberg, Director, Business Development Programs Group at (202) 205-7204.

Attachments

Attachment 2

REPORT DISTRIBUTION

Recipient                                                              No. of Copies

Associate Deputy Administrator for Management and Administration ..... 1

Office of the Chief Financial Officer
Attention: [FOIA Ex. 6] .............................................. 1

General Counsel ...................................................... 2

U.S. General Accounting Office ....................................... 1

FOIA Ex. 6